mj
2019-Mar-08 12:39 UTC
AD ldap, filter to exclude various kinds of expired, disabled etc etc users
Hi,

I was revising our AD ldap user_filter and pass_filter to exclude more types of expired / disabled accounts. I started adding things like:

> (&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))

but then I thought, why not simply do:

> (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))

as 512 would match your regular active user accounts only, excluding all other account types. Looking here (https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) there are so many different userAccountControl values to check that it might be smarter to only allow userAccountControl=512, or....?

Any ideas on this..? (or examples of how you do it?)

MJ
lists
2019-Mar-19 09:23 UTC
AD ldap, filter to exclude various kinds of expired, disabled etc etc users
Hi,

For the archives, the below user_filter works nicely:

user_filter = (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))

But another option, taken from the samba mailinglist, is:

user_filter = (&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This one excludes various kinds of disabled accounts, including 514. The second one might actually be better.

MJ

On 8-3-2019 13:39, mj via dovecot wrote:
> Hi,
>
> I was revising our AD ldap user_filter and pass_filter to exclude more types of expired / disabled accounts.
>
> I started adding things like:
>
>> (&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))
>
> but then I thought, why not simply do:
>
>> (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))
>
> as 512 would match your regular active user accounts only, excluding all other account types.
>
> Looking here (https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) there are so many different userAccountControl values to check that it might be smarter to only allow userAccountControl=512, or....?
>
> Any ideas on this..?
>
> (or examples of how you do it?)
>
> MJ
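The two filter styles in this thread behave differently on real accounts, and the difference is easy to miss. The following is an added example, not code from the thread or from Dovecot: it models `(userAccountControl=512)` against the bitwise rule `(userAccountControl:1.2.840.113556.1.4.803:=2)` (LDAP_MATCHING_RULE_BIT_AND, which matches when every bit of the given value is set) on constructed sample values. It shows that the equality filter also rejects enabled accounts that merely carry another flag such as DONT_EXPIRE_PASSWORD (66048), while the bitwise rule rejects every disabled account but, on its own, still admits accounts with the PASSWORD_EXPIRED bit.

```python
# Added example (not from the thread). Models how the two user_filter styles
# treat userAccountControl values. Matching rule OID 1.2.840.113556.1.4.803 is
# LDAP_MATCHING_RULE_BIT_AND: (attr:1.2.840.113556.1.4.803:=N) matches when
# (attr & N) == N.

# Flag bits from the Microsoft article linked in the thread.
ACCOUNTDISABLE = 0x0002          # 2
PASSWD_NOTREQD = 0x0020          # 32
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536
PASSWORD_EXPIRED = 0x800000      # 8388608


def filter_equals_512(uac: int) -> bool:
    """(userAccountControl=512): only a NORMAL_ACCOUNT with no other bit set."""
    return uac == NORMAL_ACCOUNT


def filter_not_disabled_bit(uac: int) -> bool:
    """(!(userAccountControl:1.2.840.113556.1.4.803:=2)): any account whose
    ACCOUNTDISABLE bit is clear, regardless of the other bits."""
    return (uac & ACCOUNTDISABLE) != ACCOUNTDISABLE


def compare(values):
    """Return {uac: (matches_equals_512, matches_not_disabled_bit)}."""
    return {v: (filter_equals_512(v), filter_not_disabled_bit(v)) for v in values}


# Constructed sample values, each a combination of the flags above.
SAMPLES = [
    NORMAL_ACCOUNT,                                          # 512: enabled user
    NORMAL_ACCOUNT | ACCOUNTDISABLE,                         # 514: disabled user
    NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD,        # 546: disabled, no pw required
    NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                   # 66048: enabled, pw never expires
    NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,  # 66050: disabled, pw never expires
    NORMAL_ACCOUNT | PASSWORD_EXPIRED,                       # 8389120: enabled, pw expired
]

if __name__ == "__main__":
    print(f"{'uac':>8}  {'=512':>5}  {'!disabled-bit':>13}")
    for uac, (eq, bit) in compare(SAMPLES).items():
        print(f"{uac:>8}  {eq!s:>5}  {bit!s:>13}")
```

If expired passwords should also be rejected, the bitwise form needs a second negated clause for bit 8388608; account expiry (accountExpires) is a separate attribute and is not visible in userAccountControl at all.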